Key Store
Generate Private Key
* Generate a self-signed keypair with:
– alias: myhost
– CN: CN=myhost.mytest.local, OU=Lab, O=My Test, L=Reston, S=Virginia, C=US
– key algorithm: RSA
– key size: 2048
– signature algorithm: SHA1withRSA
– valid for: 360 days
– protected by password: secret
* Stored in a Java key store file:
– named: myhost.jks
– with password: secret
keytool -genkey -alias myhost -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore myhost.jks -storepass secret -keypass secret -dname "CN=myhost.mytest.local, OU=Lab, O=My Test, L=Reston, S=Virginia, C=US" -validity 360
Inspect keys
* Print out details about key with alias myhost
keytool -list -v -alias myhost -keystore myhost.jks
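Added example (not part of the original page): a shell function that reads `keytool -list -v` output and flags MD2/MD5/SHA-1 signature algorithms and RSA keys under 2048 bits. The function names, the aliases other than myhost, the 2048-bit threshold and the embedded listing are constructed for illustration; the field names assume the English-locale output of keytool, and the key-size line is only printed by newer JDKs.

```shell
#!/bin/sh
# Added example: flag weak parameters in `keytool -list -v` output.
# Real use: keytool -list -v -keystore myhost.jks | audit_keytool_listing

# Reads a verbose listing on stdin and prints, per certificate:
#   <alias> <signature-algorithm> <key-bits> <OK|WEAK:reasons>
audit_keytool_listing() {
    awk '
        function report(    why) {
            if (sigalg ~ /^(MD2|MD5|SHA1)with/) why = "sigalg"
            # Assumed policy threshold: RSA keys below 2048 bits are weak.
            if (keyalg == "RSA" && bits + 0 < 2048) why = why (why ? "," : "") "keysize"
            print alias, sigalg, bits, (why ? "WEAK:" why : "OK")
            bits = "?"; keyalg = ""
        }
        BEGIN { bits = "?" }
        /^Alias name: /                   { alias = substr($0, 13) }
        # $4 is the algorithm; newer JDKs append " (weak)", which is dropped here.
        /^Signature algorithm name: /     { sigalg = $4 }
        # Line only printed by newer JDKs, e.g. "2048-bit RSA key".
        /^Subject Public Key Algorithm: / { bits = $5; sub(/-bit$/, "", bits); keyalg = $6 }
        # "Version:" closes each certificate block in the listing.
        /^Version: /                      { report() }
    '
}

# Constructed, abridged sample listing (not real keystore output).
sample_listing() {
    cat <<'EOF'
Alias name: myhost
Entry type: PrivateKeyEntry
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Alias name: oldhost
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

Alias name: jdk8entry
Entry type: trustedCertEntry
Signature algorithm name: SHA256withRSA
Version: 3
EOF
}

sample_listing | audit_keytool_listing
```

A key size of `?` means the listing did not include a key-size line, so only the signature algorithm was checked for that entry.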
Generate CSR
keytool -certreq -alias myhost -sigalg SHA1withRSA -file myhost.csr -keystore myhost.jks
Import Signed Cert
* Need to append ca_root.cer to signed.cer so that both can be imported at once.
keytool -import -v -keystore myhost.jks -alias myhost -storepass secret -file signed.cer
Delete a Key
keytool -delete -alias myhost -keystore myhost.jks -storepass secret
Transfer Private Key from One Keystore to Another
keytool -importkeystore -srckeystore srckeystore.jks -srcstorepass changeit -srckeypass changeit -destkeystore destkeystore.jks -deststorepass changeit -destkeypass changeit -alias test
Print cert used by a remote site
keytool -printcert -sslserver $host[:$port]
keytool -printcert -sslserver www.google.com:443
# Output RFC format (cert files)
keytool -printcert -rfc -sslserver www.google.com:443